Transaction processor responsible for credit card security breach

NEW YORK: Major credit card issuers are still assessing the extent of damage caused by a security breach at a processing firm announced by MasterCard last Friday. They are still not sure which customer accounts have been intruded into and are waiting for details from MasterCard and Visa on the possible targeted accounts.

The breach, according to the card issuers, affected about 20 million Visa holders, 14 million MasterCard holders and 6 million holders of American Express and other card brands.

MasterCard said it suspects data from roughly 200,000 accounts have been stolen in the incident. Card issuers like Citigroup, J. P. Morgan Chase and MBNA are monitoring their respective accounts.

The security breach had occurred in May at CardSystems Solutions, an Atlanta-based company that processes credit card payments for small and medium-sized merchant firms.

The firm said it does not know how its system was hacked or whether the intrusion took place from inside or outside the company. The breach was detected at its Tucson, Arizona, processing center.

John Perry, CardSystems’ chief executive officer when asked about cause, culprit and how simply said: “We don’t know. This is very early in the investigation.”

CardSystems processes payments for more than 105,000 businesses. It handled more than $15 billion in transactions for MasterCard, Visa, Discover and American Express last year.

The firm admitted it had stored information on thousands of cardholders — their names, account numbers and security codes — violating rules of MasterCard and Visa, for “purposes of research”. The idea was to assess why certain transactions were never authorized or completed.

Perry said account numbers, names and expiration dates were stored in an “exception file.” The file contained accounts with transactions unable to be processed.

However, the file did not contain information used in identity theft, such as Social Security numbers or birth dates, a MasterCard spokesperson said.

Both Visa and MasterCard have started giving lists of their affected accounts.

The U.S. Public Interest Research Group advised credit card holders to wait for notices from their respective banks. The Group’s consumer program director, Edmund Mierzwinski, said, “In the interim, if consumers have the ability to check credit and checking accounts online they should do that and if not, they should open and review their statements very carefully the next couple of months.”

MasterCard clarified that it “does not allow processors that are in violation of our rules to process transactions”. The company said it detected rule violations by CardSystems only when it began investigating this spring.

Visa had carried out a security audit of CardSystems in December 2003 and certified that the firm has been complying with the security regulations. It had not found any breaches until mid-May.

A spokesperson for Visa said, “When we investigated, that’s when we knew they were storing the data, and that’s when they fell out of compliance.”

As per service conditions, Visa could levy a fine up to $500,000 on the firm. Visa has nearly 150 such service providers around the globe, all of which follow the strict security audits. It said it is planning to review the security audits from retailers and other businesses that accept its cards.

Meanwhile, major banks in the U.S. and elsewhere are asking Visa and Mastercard holders who may have used their cards in the United States or online in the past six months to check their statements.